[00:00.000 --> 00:03.950]  Twitch, please feel free to join the Discord.
[00:06.460 --> 00:11.370]  Https://discord.gg, Defcon, and join the conversation.
[00:13.040 --> 00:20.280]  All right, without further ado, let's discuss ClusterFuzz.
[01:10.100 --> 01:13.920]  CAN, so you could potentially hack this vehicle.
[01:13.940 --> 01:18.800]  Please don't. It's great fun when it's driving. It's not fun when it's not.
[01:19.080 --> 01:22.540]  Um, a little disclaimer down the bottom there.
[01:22.540 --> 01:24.960]  Car hacking is done at your own risk.
[01:25.000 --> 01:29.500]  If you brick your own car, please do not blame me or the Car Hacking Village.
[01:30.080 --> 01:32.900]  So, on to my car hacking credentials.
[01:32.980 --> 01:38.240]  In 2007, I hacked my own vehicle, found an issue in the head unit,
[01:38.240 --> 01:44.460]  in which you could get access to personal information inside the head unit quite easily.
[01:44.520 --> 01:47.760]  I disclosed that information to the manufacturer itself.
[01:47.760 --> 01:53.920]  I then did a talk about it at Defcon Group in London, DC4420,
[01:53.920 --> 01:59.120]  BSides London Rookie Track, and Defcon 26 Car Hacking Village.
[01:59.220 --> 02:03.960]  In 2018, I was also invited to be one of 12 security researchers
[02:04.540 --> 02:08.280]  to go to Bugcrowd's live car hacking event.
[02:08.620 --> 02:14.300]  I then returned in 2019 to be one of 20 security researchers to go to
[02:15.020 --> 02:20.940]  the same event for the same manufacturer at their factory over in the US.
[02:21.460 --> 02:25.960]  Last year at Defcon 27, I was part of a Bugcrowd
[02:25.960 --> 02:31.760]  car hacking panel with Cyber Giddens and Spectres hosted by Chloe.
[02:32.500 --> 02:42.280]  I was also asked last year to go to the Auto-ISAC Summit in Texas at Toyota's plant,
[02:42.280 --> 02:47.940]  where me and a couple of others were part of a car hacking vulnerability disclosure
[02:47.940 --> 02:50.620]  policy panel for HackerOne.
[02:51.680 --> 02:55.640]  I also now, for my sins, run the Car Hacking Village in the UK.
[02:56.840 --> 03:04.140]  I have my car in the box, PD0, which is all the electronics from a Peugeot 208 in a box,
[03:04.140 --> 03:09.980]  in quite a portable form. Not as portable as being globally movable, but
[03:10.820 --> 03:14.860]  last year I did about 13 events, one of which was in Europe.
[03:15.040 --> 03:21.060]  I have been asked to take it all the way around the world, India, Australia, Brazil, America,
[03:21.060 --> 03:26.440]  Egypt. The only continent I don't think I've been asked to go to is Antarctica.
[03:27.080 --> 03:29.120]  This year I was meant to do
[03:30.100 --> 03:35.660]  BSides Stuttgart, BSides Brussels, but things have happened, as we know,
[03:35.660 --> 03:37.940]  and there's been quite a few virtual conferences,
[03:37.940 --> 03:44.320]  which also means my car in the box will be available for the virtual.carhackingvillage.com
[03:45.200 --> 03:50.840]  CTF. If you look for PD0, there are two Raspberry Pis attached,
[03:50.840 --> 03:56.940]  one on two of the buses, one on the third. You can then basically hack that vehicle
[03:56.940 --> 04:02.220]  in a safe manner. You won't break anything really, unless you try really, really hard.
[04:03.400 --> 04:06.560]  It's quite good that it's actually going to be used at DEF CON
[04:07.200 --> 04:15.980]  without me leaving my own home. I will miss the people. However, travel is not really fun at the
[04:15.980 --> 04:23.160]  moment. So there are some hints and tips for the CTF for the Car Hacking Village 101 in this
[04:23.160 --> 04:29.540]  presentation and the fuzzing that I will show you. You may want to pause and rewind some of this
[04:29.540 --> 04:34.840]  at a later time, but I'm not going to give you any more hints than that.
[04:35.400 --> 04:41.280]  So where do we start? The assumption is you all know what CAN is. Controller Area Network.
[04:41.280 --> 04:48.480]  It's a differential signalling communication system that allows lots of devices on a single
[04:48.480 --> 04:54.700]  bus to communicate, and has an arbitration system to allow the most important message to go out
[04:54.700 --> 05:00.440]  first. You don't really need to know much more about that, but if you want to have a read
[05:01.500 --> 05:08.280]  on The Car Hacker's Handbook by Craig Smith, it is a good read. So first things first,
[05:08.280 --> 05:15.020]  you need a cheap CAN adapter. I will go into those in a second. Once you have a cheap CAN adapter,
[05:15.020 --> 05:20.560]  you could try reading your own car. Be very careful if you do. I plugged in one of my own
[05:20.560 --> 05:29.040]  home-built CAN adapters into my 2017 Jaguar XE and managed to make the car lose its gearbox.
[05:29.580 --> 05:33.220]  Yeah, that was one of those moments where I was thinking, oops, I probably shouldn't have done
[05:33.220 --> 05:40.080]  that, and I was thinking pound signs. I did manage to get it back eventually, but it involves
[05:40.080 --> 05:46.120]  disconnecting the power for a considerable length of time, about 20 minutes. Plugging it back in,
[05:46.120 --> 05:50.740]  all the messages were then reset. However, the next morning when I went to drive it,
[05:50.740 --> 05:54.620]  it took about three and a half weeks to learn how to change gear again, because it had the
[05:54.620 --> 06:04.100]  automatic ZF gearbox as used in a lot of automatic vehicles these days. So slightly easier
[06:04.100 --> 06:11.140]  and slightly less dangerous is testing something that you can actually use outside of the vehicle.
[06:11.200 --> 06:15.540]  Do not test on your own vehicle, because if you break your own car and can't get Johnny to school
[06:15.540 --> 06:20.320]  in the morning, your missus will kill you and you will be doing the walk of shame in the rain.
[06:20.320 --> 06:27.420]  Not a good idea. So I'm going to show you an instrument cluster that I have. I will show you
[06:27.420 --> 06:35.760]  how to interpret a wiring diagram, what then is required for power supply, and then some tools
[06:35.760 --> 06:43.760]  that you can use. And I will show you some fuzzing, and you can see some results on the screen
[06:43.760 --> 06:51.240]  of what's actually happening. So first things first is the NanoCan adapter. I use this device
[06:51.240 --> 06:59.300]  as the PCB itself as my business card. I started doing it in early 2018 when I first started the
[06:59.300 --> 07:03.580]  Car Hacking Village, in that it was something I could give away at the conference to say,
[07:03.580 --> 07:09.780]  here's a way to start doing car hacking. All you need is five, ten dollars worth of components,
[07:09.780 --> 07:12.480]  which include an Arduino Nano,
[07:14.980 --> 07:24.080]  an MCP2515 module, a bit of wire, the PCB, and the OBD2 plug as shown there.
[07:25.980 --> 07:30.540]  What you would then do is solder it all together as shown on the GitHub
[07:32.260 --> 07:39.020]  instructions. You then can program the Arduino Nano with a basic sketch that reads all messages,
[07:39.020 --> 07:45.340]  and you get an output like this. You can reprogram it with other sketches that allow you to
[07:45.340 --> 07:50.960]  read and write data, but unless you know what you're doing, have a play with something first
[07:50.960 --> 07:57.520]  listening and not sending. Here is the same output but using PuTTY to interpret the data
[07:57.520 --> 08:06.760]  instead of the Arduino IDE. Again, if anyone wants one of these PCBs, hit me up on Slack or on
[08:06.760 --> 08:16.060]  Twitter or email me if you want to. I will put it in the post. If you're a distance away it might
[08:16.060 --> 08:23.400]  cost you the postage, which isn't that expensive. However, at the moment postage around the world
[08:23.400 --> 08:30.660]  is getting silly because of COVID costing extra money, but hit me up anyway. I will be online
[08:30.660 --> 08:38.560]  after this talk on the Discord channels for questions etc. Here's a second one of my
[08:38.560 --> 08:48.240]  adapters that I built. That is a pound coin for scale. That little device there is based on an
[08:48.240 --> 08:56.740]  ATtiny1614 processor which costs about 50 pence or about 50 cents, maybe a little bit less if you buy
[08:56.740 --> 09:10.660]  quantity. It uses the same MCP2515 CAN controller and a SN65HVD230 CAN transceiver from Texas
[09:10.660 --> 09:18.880]  Instruments. The other two are from Microchip. This will allow you to build a CAN device for
[09:18.880 --> 09:23.400]  probably less than three dollars for all the components there. However, you need some extra
[09:23.400 --> 09:27.640]  parts to actually connect it to the vehicle if you want to connect it to the vehicle.
[09:27.960 --> 09:34.540]  There are two versions of this board. The red board is the main brains. The other board behind
[09:34.540 --> 09:40.900]  it, the little blue board you can see there, has the power supply and the connectivity onto the
[09:40.900 --> 09:50.100]  CAN bus. This one here is for nefarious purposes in that you can program the board at the top to
[09:50.100 --> 09:54.400]  listen for certain messages. When it sees a certain message it can then start sending
[09:54.400 --> 10:00.400]  messages back onto the bus. This is powered from the CAN bus port. The blue PCB in the middle has
[10:00.400 --> 10:07.280]  the power supply that brings it down from 12 volts to 3.3 and the plug at the back will then go into
[10:07.280 --> 10:14.560]  the OBD2 port and allow you to do various things. Be careful when you're doing this, again you could
[10:14.560 --> 10:21.300]  break things unless you know what you're doing. The other version of the TinyCAN adapter is here.
[10:21.660 --> 10:28.620]  This is a green board in the middle. This green board has an extra connector for a USB to TTL
[10:28.620 --> 10:38.180]  adapter. This adapter allows you to connect it to a Linux system using SLCAN, so serial line CAN
[10:38.180 --> 10:45.760]  and SocketCAN and can-utils. You can then send messages from the Linux system
[10:47.240 --> 10:53.640]  using can-utils which I will go into in a second. This again, all of the hardware there is probably
[10:53.640 --> 10:58.780]  about seven dollars worth of hardware. At some point in the future I will put this up on GitHub
[10:58.780 --> 11:06.600]  as another repository. If you want me to, just pester me, I'll do it quicker.
[11:08.960 --> 11:15.560]  Another cheaper CAN adapter you can use if you've got a Raspberry Pi lying around doing not a lot.
[11:15.760 --> 11:22.020]  Here is the PiCAN for Raspberry Pi. This is made by SK Pang in the UK.
[11:22.840 --> 11:31.360]  It uses the similar Microchip CAN transceiver and CAN controller, however it's got a DB9 adapter
[11:31.360 --> 11:38.420]  to connect it to the CAN OBD2 port on the vehicle. You can also use the screw terminals.
[11:38.800 --> 11:44.980]  One little hint is just behind the DB9 connector are some solder pads. You have to solder them in
[11:44.980 --> 11:49.820]  such a way that it uses the correct pins, because there are two different versions of the same
[11:50.440 --> 11:54.880]  cable that may or may not work. It took me a while to work that one out, but
[11:55.840 --> 12:03.920]  this will cost you probably about 35 to 40 dollars, 35 to 40 UK pounds. The website there
[12:03.920 --> 12:10.120]  is in the UK, but I believe he sells them in the US as well through other outlets.
[12:11.000 --> 12:19.260]  Here again is a screenshot of candump showing CAN messages from the CAN bus.
[12:19.260 --> 12:25.460]  And finally out of the cheaper end of the CAN adapters is the CANtact,
[12:25.900 --> 12:33.720]  which is by Eric Evenchick, linked down the bottom there. This I believe is based on the STM32
[12:34.880 --> 12:42.660]  and inbuilt CAN controller and CAN transceiver. This has got the same 9-pin adapter on the end,
[12:43.640 --> 12:54.240]  a large USB-B connector. These retail I believe around 75 dollars, which is okay if you're in
[12:54.240 --> 13:00.040]  America, but if you're in the UK you get stuck with customs and VAT. The jumpers in the middle
[13:00.040 --> 13:06.840]  there are for changing which pins go to where, slightly similar to the PiCAN. He's currently
[13:07.560 --> 13:14.160]  on Kickstarter though doing the CANtact Pro, which uses a slightly different processor
[13:14.160 --> 13:25.760]  that gives you two isolated CAN FD channels. Worth a look if you're interested in backing
[13:26.100 --> 13:31.200]  a Kickstarter. I might end up backing it myself if I haven't already done by then,
[13:31.200 --> 13:37.380]  by the time this goes out. So on to the instrument cluster itself. Here is the instrument
[13:37.380 --> 13:45.420]  cluster. It came from a Citroën DS3. They are not sold in the US. None of Citroën's group
[13:45.420 --> 13:59.120]  vehicles are sold in the US. This cost me about £30, which is probably about 25-ish dollars.
[13:59.120 --> 14:06.780]  You can get these from eBay, scrapyard yourself, vehicle dismantler, recycler etc.
[14:07.180 --> 14:12.760]  This one has an OBD2 port underneath in the middle there. This is because I use it for
[14:12.760 --> 14:21.880]  training purposes. So this is a very similar instrument cluster with regard to messages
[14:21.880 --> 14:30.140]  as my car in the box. A little hint here, listen up. The car in the box is based on a Peugeot 208,
[14:30.140 --> 14:35.980]  which is a similar sized vehicle to a DS3. However, it's just got a slightly different
[14:35.980 --> 14:41.520]  cluster. The message structures are very similar, if not the same.
[14:42.540 --> 14:47.520]  Here's the back of the instrument cluster. As you can see, there's some screw holes which
[14:47.520 --> 14:54.720]  hold it into the vehicle. One of which screw holes is blocked up with a barrel jack socket.
[14:55.980 --> 15:04.260]  You've then got a 18-pin connector for the device. If you are purchasing it from a
[15:04.260 --> 15:09.740]  vehicle recycler or scrapyard, see if you can get the cable as well because it's always easier
[15:09.740 --> 15:15.260]  to attach something to a cable that goes in specifically to that device, as opposed to
[15:15.260 --> 15:19.840]  DuPont cables and trying to select the right cable.
[15:21.080 --> 15:31.840]  Just zoom in on the plug itself. It's 18 pins. Pin 1 is bottom right, pin 9 is top right,
[15:31.840 --> 15:42.700]  pin 10 is bottom left, pin 18 is top left, and as you can see there, pin 8 is CAN HIGH,
[15:42.700 --> 15:50.900]  pin 9 is CAN LOW, pin 15 is 12V, and pin 18 is GROUND. Some of the other pins do things,
[15:50.900 --> 15:55.660]  some of the other pins do not. But be careful because you may break things if you send
[15:55.660 --> 16:02.680]  the wrong voltage up the wrong pin. So how do you work out what pin does what? You have to get the
[16:02.680 --> 16:11.860]  wiring diagram. This is the wiring diagram for the DS3 for the head unit and infotainment system.
[16:12.820 --> 16:20.680]  If you zoom in right in the middle of there, there is the device that is the instrument cluster.
[16:20.680 --> 16:26.600]  As you can see it has a little microprocessor and a couple of dials that basically shows you
[16:26.600 --> 16:35.940]  what's inside it. It means it's got some brains and it is a cluster. There is a
[16:35.940 --> 16:41.080]  key that tells you 0004 is an instrument cluster, however it might be called something else
[16:41.700 --> 16:50.160]  as in the language that it was originally written in, say in French. Looking at the wiring it says
[16:50.160 --> 17:02.860]  18V which means it's 18 pins. BA means the color of the plug which I believe is white. I can't
[17:02.860 --> 17:13.100]  remember. I may be wrong but pin 18 or green is ground. Pin yellow is switched live. Pins 8 and
[17:13.100 --> 17:19.660]  9 are CAN HIGH and CAN LOW. It's sort of potluck on that one. You might get it right first time,
[17:19.660 --> 17:25.660]  you might not. But if you don't get any messages back out of the device, swap them over and see
[17:25.660 --> 17:33.760]  what happens. So power supply. This power supply here came from Amazon. It's a USB to 12V
[17:34.400 --> 17:40.140]  barrel jack. So USB at 5V at one end, it's got a boost converter in the middle.
[17:40.360 --> 17:44.480]  That then can step it up to the 12V that is required for the cluster.
[17:45.160 --> 17:50.860]  Technically you need 13 point something volts if it was running with the alternator at full
[17:50.860 --> 17:57.020]  chat, but 12V should be enough. You could potentially use an ATX power supply,
[17:57.020 --> 18:01.160]  but I think it's overkill to have something that could potentially put 40 amps through it.
[18:01.160 --> 18:10.460]  So this is slightly safer. So on to the Linux software. When using CAN under Linux you need
[18:10.460 --> 18:16.180]  the package that is called can-utils. If you're running on a Raspberry Pi,
[18:16.180 --> 18:21.460]  install can-utils. It will then install all these components here.
[18:22.360 --> 18:27.040]  candump, it will basically output all CAN messages from the bus that is currently
[18:27.620 --> 18:35.740]  coming off the CAN bus. cansniffer shows all messages that are changing on the bus.
[18:35.800 --> 18:42.120]  It does not show by default any message that is static. It will remove them from the screen,
[18:42.120 --> 18:46.780]  only shows you stuff that's changing. You can then make it highlight things to show
[18:46.780 --> 18:52.190]  when things change and when things don't. You can make it show all messages,
[18:52.560 --> 18:59.180]  but it's just one of the options. cansend allows sending of a single CAN message.
[18:59.800 --> 19:04.040]  If you're very good at shell scripting you may be able to use that to send multiple
[19:04.040 --> 19:09.980]  messages in a for loop. It's not that easy to do unless you're really shithot
[19:09.980 --> 19:16.920]  at doing bash scripts. cangen is a slightly better version of the same thing,
[19:16.920 --> 19:21.960]  in that it can generate messages either randomly or with specified logic.
[19:22.640 --> 19:28.980]  Finally, the last part is canplayer. Basically, this will replay messages that you have logged
[19:28.980 --> 19:38.440]  to a text file using candump. And then you can then record something on a vehicle,
[19:38.440 --> 19:42.640]  bring it back to your cluster, and then replay it and see what happens.
[19:42.640 --> 19:47.960]  And then by selectively grepping those messages, you could replay it and find out which message
[19:47.960 --> 19:53.400]  does the speed, which message does whatever, or just fuzz it and see what happens.
[19:53.880 --> 19:55.940]  So, shall we start fuzzing?
[28:17.380 --> 28:21.680]  Good morning, good afternoon, good evening, depending on which time zone you're in.
[28:21.680 --> 28:27.640]  I'm Ian Tabor, or @mintynet. This is my talk about Car Hacking Village.
[28:27.640 --> 28:31.600]  Sorry, Ian, we accidentally restarted.
[28:32.820 --> 28:37.260]  First things first, who am I? You could sound the ultimate car hacker.
[28:37.380 --> 28:39.960]  I built this kit car 15 years ago now.
[28:40.740 --> 28:45.400]  But I think we can probably take questions, yeah?
[28:46.160 --> 28:50.840]  It was just about finished. You were working on the fuzzing of
[28:50.840 --> 28:56.260]  and showing the different possibilities to fuzz the...
[29:28.900 --> 29:29.860]  Okay.
[29:32.140 --> 29:44.340]  So, if you do have questions to mintynet or to Ian, please go ahead,
[29:44.340 --> 29:53.620]  write them in the text, the support, the CHV 101 support text group, and we can answer them.
[29:55.460 --> 30:07.060]  Ian, can you describe to us a little bit about what you built up there with your test rig?
[30:31.540 --> 30:38.850]  Got a lot of wiring there. And it actually thinks it's a running vehicle.
[30:38.850 --> 30:44.850]  So, not only does the lights work, and there's an indicator to show you like something on and off,
[30:44.850 --> 30:53.720]  etc. The engine thinks it's rotating by the Arduino attached to the crank and cam sensors.
[30:54.250 --> 31:00.410]  And that is basically spoofing the correct waveform that is used by the crank and cam
[31:00.410 --> 31:03.430]  sensors to work out where the engine is in the firing order.
[31:03.850 --> 31:09.310]  And then an indicator showing the injectors and the fuel being fired.
[31:09.310 --> 31:13.250]  So, if you were here in person, you would actually be able to see the lights flashing
[31:13.250 --> 31:22.510]  to show spark going off. There are some other simulators being used as well.
[31:22.510 --> 31:29.170]  So, there's a couple of potentiometers for the fuel gauge and the water temperature gauge.
[31:29.170 --> 31:35.430]  So, if you twist the fuel gauge potentiometer, you can make the fuel gauge go up and down.
[31:35.730 --> 31:39.430]  But it's still connected to where the fuel gauge would normally be.
[31:40.310 --> 31:46.950]  There's also an O2 simulator, which is required to get rid of one of those annoying
[31:47.710 --> 31:57.830]  engine warning lights. But that uses a 555 timer to generate an AC wave on a DC offset.
[31:57.830 --> 32:03.690]  And basically, it just varies between lean, rich, lean, rich, lean, rich,
[32:04.330 --> 32:12.110]  for both the pre and post. So, that's that.
[32:12.110 --> 32:17.250]  The hardest one to actually simulate is actually to get the car to think it was moving.
[32:17.750 --> 32:22.430]  So, originally, I tried to do it using an Arduino or something with a similar
[32:26.870 --> 32:34.530]  microcontroller. But I actually had to do it using a motor and a plastic disc.
[32:34.530 --> 32:39.690]  And it's actually a plastic disc with a reluctor ring that would normally be on your
[32:40.490 --> 32:48.090]  sub-axle attached to your wheel. So, there is a single motor with a reluctor ring attached to
[32:48.310 --> 32:54.910]  a plastic. Around that motor is four wheel speed sensors. And then there is an Arduino
[32:54.910 --> 33:01.930]  attached to that motor using PWM to vary the speed of that motor, and then thus vary the
[33:03.270 --> 33:09.490]  speed of the wheels that it thinks are rotating. There is then some feedback to that same circuitry
[33:09.490 --> 33:15.970]  that reads the speed of the CAN bus to see how fast it thinks it's going,
[33:15.970 --> 33:21.550]  try and match one to the other. But I was playing around with it earlier to try and
[33:21.550 --> 33:26.150]  fix it to make it slightly more accurate. And I worked with the encoder on the Arduino.
[33:26.190 --> 33:33.190]  So, I'm just really writing it as we speak. But I can get it to go full tilt, which means it goes
[33:33.190 --> 33:40.470]  at 181 miles an hour. And if you've ever seen a Peugeot 208, I wouldn't want to do 181 now.
[33:41.190 --> 33:49.370]  I think it wrote itself a bit fast, but yeah. Disco mode is quite trippy.
[33:50.270 --> 33:57.190]  I have a couple of my little nano cans, or tiny cans, configured so that it sends it
[33:57.190 --> 34:02.890]  into Disco mode, makes all the dials go absolutely nuts. It's always good to show someone
[34:03.730 --> 34:09.950]  what you can do with CAN by just sending the right messages, but slightly faster,
[34:09.950 --> 34:18.630]  you would actually want to send them. My car in a box probably cost me about £2,000 to build.
[34:20.230 --> 34:24.870]  But I could have probably done it a bit cheaper by buying a whole car and saving the bits I didn't
[34:24.870 --> 34:29.490]  actually use. But then you've got the whole hassle of disposing of parts off the interior
[34:29.490 --> 34:37.210]  and body shells. I may be making another one again soon. But that's for my work.
[34:43.670 --> 34:47.150]  Which car are you thinking about doing next?
[34:47.930 --> 34:53.310]  I don't know, it depends on the budget. They won't tell me the budget yet.
[34:55.830 --> 35:00.690]  So if you can lend me one, I don't mind. I'll build one for you if you like.
[35:01.590 --> 35:05.510]  Well, I would really love for you to do it for me, actually.
[35:07.210 --> 35:10.870]  But I think this is something we'll have to talk about offline, huh?
[35:11.230 --> 35:19.750]  Yep. All right. Any more questions? Actually, I don't see so many questions in the chats.
[35:23.890 --> 35:30.450]  What's that? Apologies for the audio. I will be around tomorrow to talk over it.
[35:31.570 --> 35:36.870]  Yeah, it's pretty strange what happened. But it's, you know, this is part of the fun with
[35:36.870 --> 35:47.270]  our first virtual conference. So totally understandable. We'll try to fix it for next
[35:47.270 --> 35:58.970]  time. Ian, just quickly, because we're all beginners in this chat, in this talk,
[35:58.970 --> 36:05.890]  what type of tools or what can you tell us a little bit more about where you learn,
[36:05.890 --> 36:11.230]  which hardware you're using, which software you're using, what tools would you recommend?
[36:11.230 --> 36:27.940]  The stuff I've already mentioned in the talk, I've previously used on numerous occasions.
[36:28.480 --> 36:35.140]  There are the microcontrollers that have built-in CAN controllers in them. There are also
[36:35.700 --> 36:43.620]  software for those on GitHub as well. And quite funny, when I was at the
[36:43.620 --> 36:51.860]  Bug Bash in 2018, we found a major vulnerability with the hardware that cost me about $30
[36:52.740 --> 36:59.900]  worth of hardware. And we got a payout of five figures, because we were just a bit cheeky and
[36:59.900 --> 37:05.580]  found somewhere that the manufacturer hadn't thought of which software to actually break
[37:05.580 --> 37:10.580]  into the vehicle from. I won't tell you which vehicle, I won't tell you exactly how I broke
[37:10.580 --> 37:19.160]  into the vehicle. But yeah, you can buy very expensive things, like vehicles by value counting,
[37:19.160 --> 37:27.440]  things like that. But I would start at the beginning with something in the, like,
[37:27.440 --> 37:32.720]  NanoCAN or something like that, just to see what you want to do, whether you can actually
[37:33.360 --> 37:38.700]  get used to it more than anything. Because there's no point in spending a few hundred dollars on
[37:38.700 --> 37:45.020]  hardware, and then you do it three times, and then you leave it and go, oh no, you've wasted
[37:45.020 --> 37:52.320]  your money. You may be able to resell it, you may not. But if you build something yourself,
[37:52.320 --> 37:59.980]  for five, ten dollars, it's no big deal if you never actually use it again.
[38:00.740 --> 38:05.320]  So, granted, yes, if I worked in one of those companies and I got them for free, I would say,
[38:05.320 --> 38:10.740]  buy one of those really expensive ones. But I don't, and I didn't, and I've managed to get
[38:10.740 --> 38:20.510]  through quite well where I am at the moment. Okay, well, Ian, thank you so much for the
[38:20.510 --> 38:28.210]  information, the great talk and presentation as well. I think we don't have any further questions,
[38:28.210 --> 38:32.950]  so unless you have something you would like to say to the audience, I think we can close out for
[38:32.950 --> 38:40.490]  today. If anyone needs any help with any of the challenges related to PD0, just hit me up on
[38:40.490 --> 38:49.650]  Discord. I'm @mintynet on Twitter. I'm here to help. If you want me to make the car do other
[38:49.650 --> 38:56.270]  things so you can see what's going on, I can interact with it, make it go faster or slower,
[38:56.270 --> 39:02.310]  turn lights on, turn lights off, so you can see what's going on. I don't mind.
[39:04.150 --> 39:08.190]  If you don't do it, I'll just be sat here trying to rewrite that bit of software,
[39:09.010 --> 39:17.510]  getting a little more depressed. But yes, it's very strange being in Vegas time but being in London.
[39:18.430 --> 39:24.530]  And you're talking about the CTF or the virtual car hacking, of course, right?
[39:24.790 --> 39:25.470]  Yeah.
[39:27.570 --> 39:34.210]  Great. Well, Ian, thank you so much for the great talk. I'm sure everybody learned a lot.
[39:35.670 --> 39:42.890]  We have the next talk coming up in about 20 minutes. We're going to be talking about Bluetooth
[39:42.890 --> 39:50.210]  security and automotive with Kamil. So if you guys want to come learn about what's going on
[39:50.210 --> 39:57.710]  in Bluetooth security, please come join us here in 20 minutes. We'll be right back with Kamil,
[39:57.710 --> 40:05.290]  and he's going to talk about the Bluetooth interfaces of vehicles. All right. Thank you
[40:05.290 --> 40:06.330]  very much, guys.
